PingOne Quick Start Guides
How to Set Up a PingFederate Connection to the PingOne Dock
Version 1.1, December 2014
Created by: Ping Identity Support
Disclaimer
This document is proprietary and not for general publication. It may be provided ad hoc for informational purposes only, and the information herein is subject to change without notice. Ping Identity does not provide any warranties and specifically disclaims any liability in connection with this document. Note that Ping Identity may not provide support for any sample configurations provided in this document. The variability inherent among security environments prevents full testing and support for all possible platform configurations. If you need special assistance or would like to inquire about implementation or support programs, please contact Ping Identity Global Client Services (support.pingidentity.com).

Contact Information
Ping Identity Corporation
1001 17th Street, Suite 100
Denver, CO 80202 U.S.A.
Direct: 303.468.2900
Sales: 877.898.2905
Fax: 303.468.2909
E-mail: info@pingidentity.com
Web Site: http://www.pingidentity.com
2014 Ping Identity Corporation. All rights reserved.
Page 2
Contents
Disclaimer... 2
Contact Information... 2
Introduction... 4
1. Setting up the PingOne Dock on PingOne... 4
1.1. Beginning Identity Bridge Setup... 4
1.2. Creating the PingFederate Connection to PingOne... 8
1.3. Exporting PingFederate Metadata... 11
1.4. Completing Identity Bridge Setup... 13
1.5. Testing the PingOne Dock Access... 18
2. Adding Applications to the PingOne Dock & Managing User Access... 19
2.1. Add an existing SSO URL or Non-SSO URL to the PingOne Dock... 19
2.2. Managing User Groups... 21
2.3. Adding an Application from the Application Catalog... 22
2.4. Manually Adding a New SAML Application... 26
2.5. Manually Adding a Basic SSO Application... 31
Introduction
This guide is intended to help PingFederate administrators set up the PingOne Dock (formerly called CloudDesktop). It walks an administrator through how to set up the SAML connection to PingOne and configure the PingOne Dock.

1. Setting up the PingOne Dock on PingOne
This guide assumes you have registered a PingOne Employee SSO account at the PingOne registration page here: https://admin.pingone.com/web-portal/register/
For more information on PingOne in general, refer to the online documentation found here: http://documentation.pingidentity.com/pingone/employeessoadminguide/#adminOverview.html

1.1. Beginning Identity Bridge Setup
a. After completing registration you will see your PingOne Dashboard. Click on Setup in the top right of the menu bar to begin.
b. PingOne supports a number of Identity Bridges. Choose Ping Federate (SAML) and click on Setup to continue.
c. Click on Download Metadata File located on the right half of the page. This will allow you to save the PingOne Metadata File to a system that has browser access to your PingFederate server. You'll need this file shortly to set up a connection within PingFederate. After downloading the file click on Continue to Next Step.
Note that your PingOne Metadata file will differ depending on whether Enable an account-specific Entity ID is selected. If you intend to use this identity bridge for more than one PingOne account, select Enable an account-specific Entity ID. See Connections to Multiple PingOne Accounts for more information. The result is a unique EntityID, and the metadata file is dynamically updated to reflect this:
By default, this is unchecked and the default EntityID is PingConnect.
1.2. Creating the PingFederate Connection to PingOne
Access your PingFederate instance and import the PingOne Metadata file you downloaded. You will either need to create a new IdP Authentication Adapter or use an existing one for this connection. The PingFederate connection wizard will walk you through this process. This section contains example summaries of a PingFederate connection configuration. Use them as a guide to which variables and settings are most important when creating the connection to PingOne.

SP Connection
Verify that the Entity ID and Base URL match what is shown in the screenshot. This information will have been added automatically if you used the PingOne Metadata file to create the connection.
Browser SSO
At a minimum, both IdP-Initiated SSO and SP-Initiated SSO should be set to true. PingOne also supports SLO, so these options can be enabled in PingFederate if the feature is available with the Service Providers.
Assertion Creation
PingOne requires the attributes SAML_SUBJECT and memberof in the SAML Assertion it receives from PingFederate. SAML_SUBJECT identifies the user, while the memberof attribute allows administrators to control which applications particular AD Groups see in the PingOne Dock. Application access is configured in the User Groups area of the admin portal, which is covered in section 2.2 Managing User Groups.
*Note: The attributes fname and lname are both optional, but if added they are used to personalize a user's PingOne Dock page by displaying their full name in the top right hand corner.
Attribute Sources & User Lookup
The important sections are highlighted. In this example the values shown are from Active Directory.
Protocol Settings
Verify that the Assertion Consumer Service URL matches what is shown in the screenshot below. For reference, this is appended to the base URL defined in the SP Connection section above.

1.3. Exporting PingFederate Metadata
a. Export the metadata for the new PingOne connection you created by clicking on Manage All SP under SP Connections located on the PingFederate Main Menu page.
b. Click on Export Metadata next to the Connection you plan to use with PingOne.
c. Do not select a Signing Certificate. Leave this field empty (default) and click on Next.
d. Confirm that the Signing Certificate says None, then click on Export and save the metadata.xml file to the local system.

1.4. Completing Identity Bridge Setup
a. Upload the PingFederate Metadata File to PingOne by clicking on Choose File and selecting the metadata.xml file you exported from your PingFederate server. Click on Save to upload the file.
If the upload was successful you will see the following message:
b. Next, go to Setup -> Dock Configuration, check Show Advanced Settings and click Edit. In this section, you can change your PingOne Dock Company ID. The name is automatically appended to the PingOne Dock URL (the URL you will use to access the PingOne Dock).
*Note: Your PingOne Dock URL is always visible on your PingOne Dashboard, which is the first page you see after logging in to the PingOne admin portal; it can also be seen by clicking on Dashboard at the top.
*Note: For additional guidance on PingOne Dock customization options, please refer to the following section in the online docs: http://documentation.pingidentity.com/pingone/employeessoadminguide/#configclouddesktopsettings.html
c. Further down the page you can also adjust the AP Attributes used by the PingOne Dock. The values should match what you configured in your Attribute Contract configuration in PingFederate. When ready to continue, click on Update to save your settings and then click on Finish to complete setup. The PingOne Dock is now configured and ready for SSO.
1.5. Testing the PingOne Dock Access
*Important Note: SSO users must be a member of at least one additional group other than Domain Users.
a. Copy the PingOne Dock URL from the Dashboard, open a new browser page and navigate to the URL.
b. After being challenged by your IdP adapter and successfully authenticating, users will be taken to a personalized PingOne Dock. After closing the welcome message, they will see an empty desktop since no applications have yet been configured.
2. Adding Applications to the PingOne Dock & Managing User Access

2.1. Add an existing SSO URL or Non-SSO URL to the PingOne Dock
a. From the My Application tab click on Add Application and select New SAML Application.
b. Input the relevant Application Details; Application Name and Application Description are required fields. When ready click on Continue to Next Step.
*Important Note: PNG is the only accepted image format.
c. Click on I have the SSO URL. You can enter an SSO URL you already use from PingFederate, or alternatively you can enter a non-SSO URL such as a link to an intranet site that may or may not require additional user authentication. When ready, click on Save & Publish to continue.
d. Here you can review and confirm that the SSO URL is correct (a clickable link is provided for testing). The Application can still be accessed directly just as it was before setting up PingOne, but will now also be available as a clickable icon in the PingOne Dock. When ready, click on Finish to complete the setup.
*Important Note: Since the PingOne Dock is designed to provide an online web portal for users to seamlessly access SaaS Applications without entering a password, it is important to make your users aware of any non-SSO Applications or URL links where they will be asked to enter credentials.
2.2. Managing User Groups
Administrators can control what applications are displayed to users based on their Group Membership. Groups are pulled into PingOne when users log in to the PingOne Dock.
a. To see or create User Groups, click on the Users tab at the top of the page.
b. Since you have already logged in when testing the PingOne Dock Access in step 1.5, you should see some user groups listed here. Click the Edit button next to a group you wish to manage.
c. Click the checkboxes next to the applications you wish the members of this group to be able to see and use. When finished, click on Save.
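As an added example (not part of this guide or Ping Identity's code), the Python snippet below checks a constructed SAML assertion for the attribute contract described under Assertion Creation in section 1.2 (SAML_SUBJECT, memberof, optional fname and lname), applies the section 1.5 rule that a user must belong to at least one group other than Domain Users, and computes which Dock applications a user would see under a group-to-application mapping like the one configured in section 2.2. The assertion XML and the GROUP_APPS mapping are constructed sample data, not values from a real PingFederate or PingOne deployment.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real PingFederate instance).
# Attribute names follow the contract this guide describes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberof">
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
      <saml:AttributeValue>Sales</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="fname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical group-to-application mapping, as an admin would configure it
# under Users > Edit for each group (section 2.2).
GROUP_APPS = {"Sales": {"Salesforce"}, "Engineering": {"Intranet Wiki"}}


def parse_contract(xml_text):
    """Extract the attribute-contract values PingOne expects from an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = attr.findall("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = [v.text or "" for v in values]
    return {"SAML_SUBJECT": name_id.text if name_id is not None else None,
            "memberof": attrs.get("memberof", []),
            "fname": attrs.get("fname", [None])[0],
            "lname": attrs.get("lname", [None])[0]}


def check_contract(contract):
    """Return a list of problems; an empty list means the guide's requirements are met."""
    problems = []
    if not contract["SAML_SUBJECT"]:
        problems.append("SAML_SUBJECT (NameID) missing")
    groups = set(contract["memberof"])
    if not groups:
        problems.append("memberof attribute missing")
    elif groups <= {"Domain Users"}:  # section 1.5: Domain Users alone is not enough
        problems.append("user must belong to at least one group other than Domain Users")
    return problems


def visible_apps(contract, group_apps=GROUP_APPS):
    """Union of the applications enabled for every group the user is a member of."""
    return set().union(*(group_apps.get(g, set()) for g in contract["memberof"]))
```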
2.3. Adding an Application from the Application Catalog
a. Click on the Application Catalog tab (at the top of the page).
b. In the search field start to type the name of the Application you wish to configure. When you see it in the search results click on Details to show information about the app. Click on Setup to begin configuration.
c. You are presented with some SSO information about the Application and a set of instructions to follow. Below is an example of the SSO Instructions required to configure Salesforce; we will use this Application as an example and walk through the steps to configure it in PingOne. The instructions first tell us how to configure SSO in Salesforce. Once this is complete, you would click on Continue to Next Step.
d. In the next step, you can configure the ACS URL and Entity ID. The fields are populated automatically, but with some applications the instructions will tell you to modify these values to conform to the Service Provider's requirements. In this example, Salesforce uses the same values for all customers, so nothing needs to be changed. When ready, you would click Continue to Next Step.
e. In this step, you will need to map the AP Attribute Name to the relevant IdP Attribute Name as required by the Application. Since Salesforce requires a user's email address as the SAML_SUBJECT, and we are using Active Directory, we enter mail, which is the common Active Directory Attribute for the user's email address.
*Important Note: Since some Applications may require the mapping of additional Attribute values (like the email address in the above example), you may need to extend the Attribute Contract in PingFederate to include them. Click on Continue to Next Step.
Here you can custom-brand the logo and application info, for example if you have an internal name for the Application. When ready, you would click on Save & Publish.
f. In the final step, you are able to review the configuration. This is a summary of important information that may be required by the Service Provider to complete the setup of SSO for their Application. Links are provided again at the bottom to download the PingOne signing certificate as well as the PingOne Metadata, which has the certificate embedded. You are also given the SSO URL for the application, including a clickable link for testing. This can be used to SSO directly to the Application without going through the PingOne Dock. Click on Finish to complete the setup.
g. Back at the My Application tab, you will see your newly added Application. Clicking on Initiate Single Sign-On (SSO) URL allows you to test the Application's SSO URL.

2.4. Manually Adding a New SAML Application
*Important Note: This feature is used for adding internal SAML-enabled Applications. If you wish to configure an Application from an external Service Provider and cannot find it in the Application Catalog, please fill out the request form at https://www.pingidentity.com/en/products/pingone/request-a-saas.html to have it added for you.
a. From the My Application tab click on Add Application and select New SAML Application.
b. Input the relevant Application Details; Application Name and Application Description are required fields. When ready, click on Continue to Next Step.
*Important Note: PNG is the only accepted image format.
c. Next, you will need to input the SAML configuration details for your Application. You can either upload the Application's Metadata file or manually enter the ACS URL and the Entity ID and upload the Verification Certificate, all of which are required. A Download link for the PingOne Metadata is provided for configuring the connection on the Application side. When ready, click on Continue to Next Step.
d. Here, you will need to configure SSO Attribute Mapping. Click on Add new attribute to create new values as required by your application. When ready, click on Save & Publish.
e. In the final step, you are able to review the configuration. This is a summary of important information that may be required by the Service Provider to complete the setup of SSO for the Application. Links are provided again at the bottom to download the PingOne signing certificate, as well as the PingOne Metadata, which has the certificate embedded. You are also given the SSO URL for the application, including a clickable link for testing. This can be used to SSO directly to the Application without going through the PingOne Dock. Click on Finish to complete the setup.

2.5. Manually Adding a Basic SSO Application
*Important Note: This feature is used for adding internal Basic SSO Applications. If you wish to configure an Application from an external Service Provider and cannot find it in the Application Catalog, please fill out the request form at https://www.pingidentity.com/en/products/pingone/request-a-saas.html to have it added for you.
a) From the My Application tab click on Add Application and select New Basic SSO Application.
b) Follow the instructions outlined in the online documentation: http://documentation.pingidentity.com/pingone/employeessoadminguide/ - enablebasicssoapp.html